Analysis
-
max time kernel
141s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
16/01/2025, 14:37 UTC
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
-
Size
381KB
-
MD5
7955ce3d796ca8a03a55d2edefd32f25
-
SHA1
5725494c18c0f3f32fcd5a5c01ad8a09e8ee7831
-
SHA256
aac971e1ff6dcb52dac8ee0749261f8995ebe3c870511e9f3ea291882d6e41b0
-
SHA512
6e5141863878e855b40c6c95ae6658ef8f6bad01a3f1b127675e6d6d7c3fcf2a2f7d85425388594ff4e80d67e5a7c5d2d78fd630914cba291860c74156b34c08
-
SSDEEP
6144:P9mIRKIXJMFy/x3gC/j4fGyUFvyuja3Xcbp/jXv7TYJwKumRCBF1CgVAtEPm2/2:715oy/e4j4fGcum3Xct/DYJwKuNLQgVS
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
-
Windows security bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | mstwain32.exe
-
ModiLoader Second Stage 14 IoCs
resource | yara_rule
behavioral1/memory/2680-45-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2680-47-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2680-51-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2680-54-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2680-50-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2680-49-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2680-58-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2680-59-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2680-60-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2680-61-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2680-77-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2680-67-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2124-130-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/2124-131-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
-
Executes dropped EXE 3 IoCs
pid | Process
1756 | mstwain32.exe
1776 | mstwain32.exe
2124 | mstwain32.exe
-
Windows security modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | mstwain32.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" | mstwain32.exe
-
Checks whether UAC is enabled 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mstwain32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
File opened for modification | C:\Windows\SysWOW64\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
File created | C:\Windows\SysWOW64\mstwain32.exe | mstwain32.exe
File opened for modification | C:\Windows\SysWOW64\mstwain32.exe | mstwain32.exe
-
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 2348 set thread context of 2360 | 2348 | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe | 31
PID 2360 set thread context of 2680 | 2360 | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe | 32
PID 1756 set thread context of 1776 | 1756 | mstwain32.exe | 37
PID 1776 set thread context of 2124 | 1776 | mstwain32.exe | 39
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\mstwain32.exe | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
File opened for modification | C:\Windows\mstwain32.exe | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
File opened for modification | C:\Windows\mstwain32.exe | mstwain32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mstwain32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mstwain32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mstwain32.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
The 64 entries are the following two rows repeated in alternation, all for PID 2348 (privilege LUID 33 is SeIncreaseWorkingSetPrivilege):
Token: 33 | 2348 | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Token: SeIncBasePriorityPrivilege | 2348 | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2360 | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
1776 | mstwain32.exe
-
Suspicious use of WriteProcessMemory 44 IoCs
description | pid | Process | procid_target | count
PID 2348 wrote to memory of 2360 | 2348 | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe | 31 | 8
PID 2360 wrote to memory of 2680 | 2360 | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe | 32 | 12
PID 2680 wrote to memory of 1756 | 2680 | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe | 36 | 4
PID 1756 wrote to memory of 1776 | 1756 | mstwain32.exe | 37 | 8
PID 1776 wrote to memory of 2124 | 1776 | mstwain32.exe | 39 | 12
-
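The SetThreadContext and WriteProcessMemory rows above record the same pattern twice: each process starts a copy of its own image, writes into it, then resets the child's main-thread context, which is the classic RunPE/process-hollowing sequence. The last process of each chain (2680, then 2124) is the one whose 0x400000 region the modiloader_stage2 YARA rule hits, so those are the processes worth dumping. The script below is an added example, not part of this report or of the loader; it reconstructs the chains from a constructed event list (an assumed tuple schema, not a real log format) and deliberately includes the 2680 → 1756 writes, which have no SetThreadContext and are the ordinary footprint of starting a new process, so that WriteProcessMemory alone does not count as a hop.

```python
"""Reconstruct the self-injection (process hollowing) chains in this report.

Added example; not part of the sandbox report or the loader's code. EVENTS
is constructed from the report's process tree and its SetThreadContext /
WriteProcessMemory rows, in an assumed tuple schema rather than a real log
format.
"""

SAMPLE = "JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe"
DROPPED = "mstwain32.exe"

# ("create", pid, parent_pid, image)
# ("write_memory", src_pid, dst_pid)
# ("set_thread_context", src_pid, dst_pid)
EVENTS = [
    ("create", 2348, None, SAMPLE),
    ("create", 2360, 2348, SAMPLE),
    ("write_memory", 2348, 2360),
    ("set_thread_context", 2348, 2360),
    ("create", 2680, 2360, SAMPLE),
    ("write_memory", 2360, 2680),
    ("set_thread_context", 2360, 2680),
    # 2680 launches the dropped copy: a few writes, no SetThreadContext,
    # different image -> plain CreateProcess, not a hollowing hop.
    ("create", 1756, 2680, DROPPED),
    ("write_memory", 2680, 1756),
    ("create", 1776, 1756, DROPPED),
    ("write_memory", 1756, 1776),
    ("set_thread_context", 1756, 1776),
    ("create", 2124, 1776, DROPPED),
    ("write_memory", 1776, 2124),
    ("set_thread_context", 1776, 2124),
    # Constructed negative: same-image child that is written to but whose
    # thread context is never replaced (a browser spawning a renderer).
    ("create", 5000, None, "chrome.exe"),
    ("create", 5001, 5000, "chrome.exe"),
    ("write_memory", 5000, 5001),
]


def find_hollowing_chains(events):
    """Return chains [origin, ..., final host]; every hop after the origin is a
    same-image child that its parent both wrote into and re-pointed with
    SetThreadContext."""
    image, parent, wrote, ctx = {}, {}, set(), set()
    for ev in events:
        if ev[0] == "create":
            _, pid, ppid, img = ev
            image[pid], parent[pid] = img, ppid
        elif ev[0] == "write_memory":
            wrote.add((ev[1], ev[2]))
        elif ev[0] == "set_thread_context":
            ctx.add((ev[1], ev[2]))

    hollowed = {
        child for (src, child) in ctx
        if (src, child) in wrote            # memory was replaced ...
        and parent.get(child) == src        # ... by the creating parent ...
        and image.get(child) == image.get(src)  # ... in a copy of itself
    }

    chains = []
    for pid in hollowed:
        if any(parent.get(other) == pid for other in hollowed):
            continue  # an intermediate hop, not the end of a chain
        chain = [pid]
        while chain[-1] in hollowed:        # walk up until the origin
            chain.append(parent[chain[-1]])
        chains.append(chain[::-1])
    return sorted(chains)


def final_hosts(events):
    """PIDs whose address space ends up holding the real payload; these are the
    ones to dump (the report's YARA hits are on 2680 and 2124)."""
    return [chain[-1] for chain in find_hollowing_chains(events)]


if __name__ == "__main__":
    for chain in find_hollowing_chains(EVENTS):
        print(" -> ".join(str(p) for p in chain))
```

With real telemetry the same three conditions apply to Sysmon Event ID 1 (parent/child/image), Event ID 10 (process access with write rights) and an EDR's SetThreadContext/NtSetContextThread record; requiring all three keeps debuggers and ordinary same-image child processes out of the result.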
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
-
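Taken together, the registry signatures in this report are one routine: EnableLUA=0 switches UAC off at the next reboot (the write can only succeed with administrative rights, which the sandbox's Admin account provides; a standard user cannot write under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies), UACDisableNotify silences Security Center's warning about it, and the per-user Run value relaunches C:\Windows\mstwain32.exe at logon. The rules below are an added example, not part of the report or of the loader: they flag these writes in Sysmon-style registry events, the events are constructed to mirror the rows above, and the ATT&CK mapping is the editor's, not the sandbox's.

```python
"""Triage registry 'Set value' events for the UAC / Security Center tampering
and Run-key persistence seen in this report.

Added example; not part of the sandbox report or the loader's code. EVENTS
is constructed to mirror the report's rows using Sysmon Event ID 13
(RegistryEvent: Value Set) field names so the rules run offline.
"""
import re

# Sandbox and ETW output use native object-manager paths (\REGISTRY\MACHINE\...),
# Sysmon uses hive abbreviations (HKLM\...). Rules match the Sysmon form.
_HIVES = ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU"))


def normalize_path(target: str) -> str:
    for native, short in _HIVES:
        if target.upper().startswith(native):
            return short + target[len(native):]
    return target


def parse_dword(details: str):
    """Sysmon renders DWORD data as 'DWORD (0x00000000)'; return the int or None."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


# (path regex, required DWORD value or None for 'any write', label, ATT&CK technique)
RULES = [
    (re.compile(r"^HKLM\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion"
                r"\\Policies\\System\\EnableLUA$", re.I),
     0, "UAC disabled (EnableLUA=0, effective at next reboot)", "T1548.002"),
    (re.compile(r"^HKLM\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Security Center\\\w*DisableNotify$", re.I),
     None, "Security Center notification flag rewritten", "T1562.001"),
    (re.compile(r"^HKU\\S-1-5-21-[\d-]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I),
     None, "Run-key persistence", "T1547.001"),
]


def triage(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        path = normalize_path(ev["TargetObject"])
        dword = parse_dword(ev["Details"])
        for rx, want, label, technique in RULES:
            if rx.match(path) and (want is None or dword == want):
                findings.append({
                    "technique": technique, "label": label,
                    "process": ev["Image"].rsplit("\\", 1)[-1],
                    "path": path, "details": ev["Details"],
                })
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe"
DROPPED = r"C:\Windows\mstwain32.exe"
POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

# Constructed records mirroring the report's rows.
EVENTS = [
    {"Image": SAMPLE, "TargetObject": POLICY, "Details": "DWORD (0x00000000)"},
    {"Image": SAMPLE,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify",
     "Details": "DWORD (0x00000000)"},
    {"Image": DROPPED,
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32",
     "Details": DROPPED},
    # Constructed control: an administrator turning UAC back on must not fire.
    {"Image": r"C:\Windows\regedit.exe", "TargetObject": POLICY, "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["technique"], f["process"], f["path"], f["details"])
```

The EnableLUA rule is value-specific because re-enabling UAC writes the same path; the Security Center and Run-key rules fire on any write, since there is no benign value a loader would set there. Sysmon does not log value reads, so the "Key value queried" rows in the report have no equivalent here.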
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. vssvc.exe (PID 1700) appears as a separate top-level entry in the process tree below because the service is started on demand by COM activation, not spawned by the sample.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348 -
Level 2: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2360 -
Level 3: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
Level 4: C:\Windows\mstwain32.exe
Command line: "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756 -
Level 5: C:\Windows\mstwain32.exe
Command line: C:\Windows\mstwain32.exe \melt "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe"
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1776 -
Level 6: C:\Windows\mstwain32.exe
Command line: C:\Windows\mstwain32.exe
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- System policy modification
PID:2124
Level 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID:1700
Network
-
Remote address: 8.8.8.8:53
Request: thepiratebay.org IN A
Response: thepiratebay.org IN A 162.159.136.6
          thepiratebay.org IN A 162.159.137.6
-
Remote address: 162.159.136.6:80
Request:
GET /top/301 HTTP/1.1
User-Agent: Moxilla
Host: thepiratebay.org
Cache-Control: no-cache
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 16 Jan 2025 15:37:40 GMT
Location: https://thepiratebay.org/top/301
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eo8jl6wSiBIhnZe3%2FeOBEpOmABku0EPuf9vFY1V4dDTdaKdRr%2Fd706kdnztrZDt4Fb6WflghfiZf%2BmV7IC3GVyEB7M%2FOEc%2BEjqHq6Z4S8tNcBhxjsiPpY1FBjasaYZqHLghE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed8492afb63be-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27096&min_rtt=27096&rtt_var=13548&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=95&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
GET http://thepiratebay.org/search.php?q=top100:301 (process: JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
Remote address: 162.159.136.6:80
Request:
GET /search.php?q=top100:301 HTTP/1.1
User-Agent: Moxilla
Connection: Keep-Alive
Cache-Control: no-cache
Host: thepiratebay.org
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 16 Jan 2025 15:37:41 GMT
Location: https://thepiratebay.org/search.php?q=top100:301
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CLNG2CcmTYMTG38nsqZebsiWXXAtvghl%2FVO0NbAuhDOgvBGemdFDmF46wzaz7iCrrk2m9%2F5M0K9FjZBGCeePZaz%2B0PEiAZ38YOS7Y2aMjWeBgUvo3I3PrgTXj%2BesKtriDq%2Fm"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed84e094d63be-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27096&min_rtt=27096&rtt_var=13548&sent=4&recv=6&lost=0&retrans=1&sent_bytes=2066&recv_bytes=230&delivery_rate=5773&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
Remote address: 162.159.136.6:80
Request:
GET /top/401 HTTP/1.1
User-Agent: Moxilla
Host: thepiratebay.org
Cache-Control: no-cache
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 16 Jan 2025 15:37:42 GMT
Location: https://thepiratebay.org/top/401
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aFmwb4lOSiF%2B8kK6yHsjibbnD6L7BL%2FObMAbCqs4npK5ZSNWhfEyizJlINaEhFdXomKHG7Qt8jY4WiRYDc9pFbjjUxZ5mJ%2FJmJsPBeeIFqgtFTYHZsQqD19RduZ5fk3Ey7Db"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed8520e5163be-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=51678&min_rtt=27096&rtt_var=59326&sent=5&recv=8&lost=0&retrans=1&sent_bytes=3122&recv_bytes=325&delivery_rate=6064&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
GET http://thepiratebay.org/search.php?q=top100:401 (process: JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
Remote address: 162.159.136.6:80
Request:
GET /search.php?q=top100:401 HTTP/1.1
User-Agent: Moxilla
Connection: Keep-Alive
Cache-Control: no-cache
Host: thepiratebay.org
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 16 Jan 2025 15:37:42 GMT
Location: https://thepiratebay.org/search.php?q=top100:401
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FRmBKNf0JnS1wiAfbMMtHYYGW4V%2B7VsUvtO%2B2I2p3Dv3nUPA%2BVzceIV0IG05AOtYZgHNknSMlGb3oefwmZaDZ1wnLdqv4alYRUJ196bNTP3bm8rENWNXDkaBDuJhNScYUeHm"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed853882563be-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=73975&min_rtt=27096&rtt_var=89088&sent=6&recv=10&lost=0&retrans=1&sent_bytes=4158&recv_bytes=460&delivery_rate=6064&cwnd=252&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
Remote address: 162.159.136.6:443
Request:
GET /top/301 HTTP/1.1
User-Agent: Moxilla
Connection: Keep-Alive
Cache-Control: no-cache
Host: thepiratebay.org
Response:
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: http://thepiratebay.org/search.php?q=top100:301
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M9%2FD98Sg8%2FUAF%2BKVCiWzQW3i0NZ9EvK2ApEAYDExHZJw0T3IGhFUyRj98wlWu%2FdKgwItKB7aKu7jgMFyL1Haau81pKpVh8syRhu53LQ%2FSLuBfH0l9nhbDSki0sdDTUUOAm2C"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed84bbc70ef0d-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=54286&min_rtt=26200&rtt_var=56970&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3149&recv_bytes=441&delivery_rate=129525&cwnd=253&unsent_bytes=0&cid=5c6d16f8762af8cc&ts=610&x=0"
-
GET https://thepiratebay.org/search.php?q=top100:301 (process: JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
Remote address: 162.159.136.6:443
Request:
GET /search.php?q=top100:301 HTTP/1.1
User-Agent: Moxilla
Connection: Keep-Alive
Cache-Control: no-cache
Host: thepiratebay.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Sat, 18 Jan 2025 14:37:41 GMT
Cache-Control: max-age=172800
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PUHyHvGdV7ow57%2FraoCpKmTclXtkA7i1yBXeTQ%2BIIUvUsWXZCXDsI4kmHEpkSCG1TRXGEnosolCPGI436jd7tgDjBx7ESlMxPIm%2BetHfe%2Fm0cjPB1WyeRgHyGjqnFDTfDI6D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed84e4ee8ef0d-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50849&min_rtt=26200&rtt_var=49602&sent=9&recv=9&lost=0&retrans=0&sent_bytes=4219&recv_bytes=605&delivery_rate=129525&cwnd=255&unsent_bytes=0&cid=5c6d16f8762af8cc&ts=1244&x=0"
-
Remote address: 162.159.136.6:443
Request:
GET /top/401 HTTP/1.1
User-Agent: Moxilla
Connection: Keep-Alive
Cache-Control: no-cache
Host: thepiratebay.org
Response:
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: http://thepiratebay.org/search.php?q=top100:401
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DEgVuxnwcs5KzZJijwrvSQgVtW%2B7h%2FrpHbV3PI4pUou%2BWOEFYdQp5qjBmAD6WKd8%2BSHTZdNnE8zC9BgiDl7GqElZHmnJD6gSTNN%2BYBme%2BGuEjE%2FmkPrOvs4hSdIWMFgmdI6T"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed8523f03ef0d-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=42880&min_rtt=26200&rtt_var=32857&sent=16&recv=13&lost=0&retrans=0&sent_bytes=9246&recv_bytes=753&delivery_rate=299878&cwnd=257&unsent_bytes=0&cid=5c6d16f8762af8cc&ts=1488&x=0"
-
GET https://thepiratebay.org/search.php?q=top100:401 (process: JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
Remote address: 162.159.136.6:443
Request:
GET /search.php?q=top100:401 HTTP/1.1
User-Agent: Moxilla
Connection: Keep-Alive
Cache-Control: no-cache
Host: thepiratebay.org
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Sat, 18 Jan 2025 14:37:42 GMT
Cache-Control: max-age=172800
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=igWNzVMtPIE1ut6Ymp18zCW%2FwyV6gzOaxUUaRPrP9Oqk36x84%2FshAsdcegEmaelnkxOUhM9zCfh6FnTN7RVVCGHk4PWutcRG81%2FhXI0Tkg1lTt82VP3iWUWeXKCYYKEOxMCI"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed853cc48ef0d-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=41066&min_rtt=26200&rtt_var=28272&sent=19&recv=15&lost=0&retrans=0&sent_bytes=10323&recv_bytes=917&delivery_rate=299878&cwnd=257&unsent_bytes=0&cid=5c6d16f8762af8cc&ts=2125&x=0"
-
Remote address: 8.8.8.8:53
Request: c.pki.goog IN A
Response: c.pki.goog IN CNAME pki-goog.l.google.com
          pki-goog.l.google.com IN A 142.250.178.3
-
Remote address: 142.250.178.3:80
Request:
GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 16 Jan 2025 14:10:33 GMT
Expires: Thu, 16 Jan 2025 15:00:33 GMT
Cache-Control: public, max-age=3000
Age: 1627
Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address: 142.250.178.3:80
Request:
GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 16 Jan 2025 14:10:33 GMT
Expires: Thu, 16 Jan 2025 15:00:33 GMT
Cache-Control: public, max-age=3000
Age: 1628
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
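The flows above show the sample requesting two thepiratebay.org top-100 listing pages (/top/301 and /top/401) with a non-standard User-Agent, Moxilla, and following a four-hop redirect chain for each: the plaintext request is upgraded to HTTPS with a 301, the HTTPS listing page answers 302 with a plaintext search.php URL, that is upgraded again, and only then does a 200 arrive. The same query therefore crosses the wire on both port 80 and port 443, so a detection keyed on the URL or query string must not assume one transport. The two c.pki.goog requests carry User-Agent Microsoft-CryptoAPI/6.1 and fetch CRLs; that is Windows validating the certificate chain of the port-443 connections, not code in the sample, and belongs with the sandbox noise rather than in the IoC list. The script below is an added example, not part of this report or of the loader: it replays the redirect chain offline against responses abbreviated from the captures above (the offline_fetch stand-in and the placeholder body are assumptions of the example) and classifies the User-Agent.

```python
"""Replay the sample's HTTP exchange with thepiratebay.org from this report.

Added example; not part of the sandbox report or the loader's code. RESPONSES
is abbreviated from the captures (status line, Content-Type, Location and
Server only) and keyed by full URL so the chain can be followed offline;
offline_fetch stands in for a socket.
"""
from urllib.parse import urljoin

UA = "Moxilla"  # User-Agent the sample sends, as captured

RESPONSES = {
    "http://thepiratebay.org/top/301":
        "HTTP/1.1 301 Moved Permanently\r\nContent-Type: text/html\r\n"
        "Location: https://thepiratebay.org/top/301\r\nServer: cloudflare\r\n\r\n",
    "https://thepiratebay.org/top/301":
        "HTTP/1.1 302 Moved Temporarily\r\nContent-Type: text/html\r\n"
        "Location: http://thepiratebay.org/search.php?q=top100:301\r\n\r\n",
    "http://thepiratebay.org/search.php?q=top100:301":
        "HTTP/1.1 301 Moved Permanently\r\nContent-Type: text/html\r\n"
        "Location: https://thepiratebay.org/search.php?q=top100:301\r\n\r\n",
    "https://thepiratebay.org/search.php?q=top100:301":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
        "<html>constructed placeholder body</html>",
}

REDIRECTS = {301, 302, 303, 307, 308}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def offline_fetch(url: str):
    """Stand-in for a network fetch: look the URL up in the constructed captures."""
    return parse_response(RESPONSES[url])


def follow(url: str, fetch=offline_fetch, max_hops: int = 10):
    """Follow redirects the way the sample evidently does. Returns the final
    status, the ordered list of URLs visited, and the final body. A revisited
    URL or more than max_hops redirects raises instead of spinning."""
    visited = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if status in REDIRECTS and "location" in headers:
            url = urljoin(url, headers["location"])  # relative Locations resolve too
            if url in visited:
                raise RuntimeError("redirect loop at " + url)
            visited.append(url)
            continue
        return status, visited, body
    raise RuntimeError("more than %d redirects" % max_hops)


def looks_like_browser(ua: str) -> bool:
    """Every mainstream browser UA starts with 'Mozilla/'; 'Moxilla' does not."""
    return ua.startswith("Mozilla/")


if __name__ == "__main__":
    status, chain, _ = follow("http://thepiratebay.org/top/301")
    print(status, " -> ".join(chain))
    print("browser-like UA:", looks_like_browser(UA))
```

Pointed at a real fetch function, follow() records exactly which transports and hosts a client touched before the first 200, which is the list a proxy or NetFlow rule has to match; the visited check and max_hops are what keep a hostile or misconfigured redirect pair from turning the replay into an infinite loop.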
-
Remote address: 162.159.136.6:80
Request:
GET /top/301 HTTP/1.1
User-Agent: Moxilla
Host: thepiratebay.org
Cache-Control: no-cache
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 16 Jan 2025 15:37:53 GMT
Location: https://thepiratebay.org/top/301
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fMpVw%2BVoI5cTTXCq6g9%2Bbyq7jobO6%2FvhdmgUkwzcrQhrIBb0GYFTCb1VbHhpoGM9MAguEAbIMM4w5AXJkoHP0Wcrrb2aOrM6Rn%2BD7tymDn0KBpZBOptkjToUPVUvVZ%2FAYifa"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed89adb4a76ed-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27177&min_rtt=27177&rtt_var=13588&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=95&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
Remote address: 162.159.136.6:80
Request:
GET /search.php?q=top100:301 HTTP/1.1
User-Agent: Moxilla
Connection: Keep-Alive
Cache-Control: no-cache
Host: thepiratebay.org
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 16 Jan 2025 15:37:57 GMT
Location: https://thepiratebay.org/search.php?q=top100:301
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NTzI9bmOMPyjP1KPeeCyhYF8GbHtpR0uZZ42TOc%2B4XA%2FBbWDMIEN3sU95WS%2B5WNqSWqahpG%2BrAEOvwG85LAhXyme82gYt5Zwd521XtZ2TrUCRpSHYm02sd9gOhhCpwikzBWg"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed8b10b4e76ed-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=52597&min_rtt=27177&rtt_var=61032&sent=2&recv=5&lost=0&retrans=0&sent_bytes=1033&recv_bytes=230&delivery_rate=5886&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
Remote address: 162.159.136.6:80
Request:
GET /top/401 HTTP/1.1
User-Agent: Moxilla
Host: thepiratebay.org
Cache-Control: no-cache
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 16 Jan 2025 15:37:57 GMT
Location: https://thepiratebay.org/top/401
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cfLp0Js2qKnkMZmr566gZ3uvWo853Uvny9ROQ1f7vLue2UcUQiyIzyYJPot6eEIZnC2de4xPHE7npBYpdsMbIS92JGBCQmqniuzxRa4uXjWaQ%2FQ51IxXylKHVKKFr4OSxY90"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed8b50fbb76ed-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=75403&min_rtt=27177&rtt_var=91385&sent=3&recv=7&lost=0&retrans=0&sent_bytes=2087&recv_bytes=325&delivery_rate=5886&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
Remote address: 162.159.136.6:80
Request:
GET /search.php?q=top100:401 HTTP/1.1
User-Agent: Moxilla
Connection: Keep-Alive
Cache-Control: no-cache
Host: thepiratebay.org
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 16 Jan 2025 15:37:58 GMT
Location: https://thepiratebay.org/search.php?q=top100:401
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EzdsR6Xdo2Bn%2B7C2rMKXcjphfuHnA9P5f%2B9D5DLPsWmvjleywIk0he4bxa4B3Layl1PyDSL5s06DpNbrh4tKc26oAe1f8A19k7n0ayRz6dBgC1Ux5JfntH1O5W76CdQyfYeo"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed8b6899d76ed-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=94485&min_rtt=27177&rtt_var=106704&sent=4&recv=8&lost=0&retrans=0&sent_bytes=3119&recv_bytes=460&delivery_rate=5950&cwnd=252&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
Remote address: 162.159.136.6:443
Request
GET /top/301 HTTP/1.1
User-Agent: Moxilla
Connection: Keep-Alive
Cache-Control: no-cache
Host: thepiratebay.org
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: http://thepiratebay.org/search.php?q=top100:301
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yIs%2BsS1V%2BkxbyHXe2bW23hGXxPS%2B0qlQHNHr8qqQgmqF6vSMfr6dqPmxfhkc3r%2BfdOFQATGtHIVIj7FNz2KRja9U2KbBB9pxTeX0KJBN%2BwZFRiZUxr2dk9CRtvhGMiGe%2Faq8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed8aebbb776b9-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=31836&min_rtt=26292&rtt_var=16290&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3149&recv_bytes=441&delivery_rate=130896&cwnd=253&unsent_bytes=0&cid=d6970f0b571a9ea7&ts=444&x=0"
-
Remote address: 162.159.136.6:443
Request
GET /search.php?q=top100:301 HTTP/1.1
User-Agent: Moxilla
Connection: Keep-Alive
Cache-Control: no-cache
Host: thepiratebay.org
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Sat, 18 Jan 2025 14:37:57 GMT
Cache-Control: max-age=172800
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HY%2FZfgmNs8RidXVQlVxPDGiEpunXIpWwN4MmSqsqdEFDizW4AI4LpCD4JspkniMiUEOa1y7GBRHMMDSXz0o5jHogKVPUa4VfPuP6fQ8IUInCLnwf5UlisxjoWWJB6bj%2BUErk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed8b14e9f76b9-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=31154&min_rtt=26292&rtt_var=13582&sent=9&recv=8&lost=0&retrans=0&sent_bytes=4221&recv_bytes=605&delivery_rate=130896&cwnd=255&unsent_bytes=0&cid=d6970f0b571a9ea7&ts=1091&x=0"
-
Remote address: 162.159.136.6:443
Request
GET /top/401 HTTP/1.1
User-Agent: Moxilla
Connection: Keep-Alive
Cache-Control: no-cache
Host: thepiratebay.org
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: http://thepiratebay.org/search.php?q=top100:401
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nlngIbdSC5Fcm5fdEMT2HxHOcAua%2F6jxdm1uqiZkXTKapvZx7BoLhSPsrVSDCYX9itBWkkevvXPIHInN2MBXx22IkRRGGgHpLpMSqF68ly26afzwr7iyF%2B79fu7FitWW2Iq7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed8b54bf876b9-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=33576&min_rtt=26292&rtt_var=13806&sent=17&recv=12&lost=0&retrans=0&sent_bytes=9244&recv_bytes=753&delivery_rate=304316&cwnd=257&unsent_bytes=0&cid=d6970f0b571a9ea7&ts=1327&x=0"
-
Remote address: 162.159.136.6:443
Request
GET /search.php?q=top100:401 HTTP/1.1
User-Agent: Moxilla
Connection: Keep-Alive
Cache-Control: no-cache
Host: thepiratebay.org
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Sat, 18 Jan 2025 14:37:58 GMT
Cache-Control: max-age=172800
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eH2WYAAU17MS%2Frk98g%2BFg61J4xxGmU1plB24fyIHHMCxLnNdbHk54Y5F1wOnZW7KsL7yJXeJI2dxe1GEdlYrjkdHJar5xX%2BnNof7491xeVvBT%2FXTdWVCMCsHyB2x%2FtffXtHd"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 902ed8b6bd8576b9-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=32639&min_rtt=26037&rtt_var=12228&sent=20&recv=14&lost=0&retrans=0&sent_bytes=10311&recv_bytes=917&delivery_rate=304316&cwnd=257&unsent_bytes=0&cid=d6970f0b571a9ea7&ts=1961&x=0"
-
Remote address: 8.8.8.8:53
Request
salihzeki42.no-ip.org IN A
Response
-
Remote address: 8.8.8.8:53
Request
crl.microsoft.com IN A
Response
crl.microsoft.com IN CNAME crl.www.ms.akadns.net
crl.www.ms.akadns.net IN CNAME a1363.dscg.akamai.net
a1363.dscg.akamai.net IN A 2.19.252.143
a1363.dscg.akamai.net IN A 2.19.252.157
-
Remote address: 2.19.252.143:80
Request
GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
Response
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
ETag: 0x8DD1A40E476D877
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 346168ca-101e-0054-5d36-4c18bd000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Thu, 16 Jan 2025 14:38:12 GMT
Connection: keep-alive
-
Remote address: 8.8.8.8:53
Request
www.microsoft.com IN A
Response
www.microsoft.com IN CNAME www.microsoft.com-c-3.edgekey.net
www.microsoft.com-c-3.edgekey.net IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net IN CNAME e13678.dscb.akamaiedge.net
e13678.dscb.akamaiedge.net IN A 95.100.245.144
-
Remote address: 95.100.245.144:80
Request
GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
Response
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: HqJzZuA065RHozzmOcAUiQ==
Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
ETag: 0x8DD34DBD43549F4
x-ms-request-id: e1a81062-701e-0052-0dc9-662b02000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Thu, 16 Jan 2025 14:38:12 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV93f3d6fb.0
ms-cv-esi: CASMicrosoftCV93f3d6fb.0
X-RTag: RT
-
162.159.136.6:80 | http://thepiratebay.org/search.php?q=top100:401 | http | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe | 1.0kB 5.5kB 12 8
HTTP Request: GET http://thepiratebay.org/top/301
HTTP Response: 301
HTTP Request: GET http://thepiratebay.org/search.php?q=top100:301
HTTP Response: 301
HTTP Request: GET http://thepiratebay.org/top/401
HTTP Response: 301
HTTP Request: GET http://thepiratebay.org/search.php?q=top100:401
HTTP Response: 301
-
162.159.136.6:443 | https://thepiratebay.org/search.php?q=top100:401 | tls, http | JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe | 1.8kB 16.4kB 19 27
HTTP Request: GET https://thepiratebay.org/top/301
HTTP Response: 302
HTTP Request: GET https://thepiratebay.org/search.php?q=top100:301
HTTP Response: 200
HTTP Request: GET https://thepiratebay.org/top/401
HTTP Response: 302
HTTP Request: GET https://thepiratebay.org/search.php?q=top100:401
HTTP Response: 200
-
606 B 5.0kB 8 6
HTTP Request: GET http://c.pki.goog/r/gsr1.crl
HTTP Response: 200
HTTP Request: GET http://c.pki.goog/r/r4.crl
HTTP Response: 200
-
898 B 4.4kB 10 6
HTTP Request: GET http://thepiratebay.org/top/301
HTTP Response: 301
HTTP Request: GET http://thepiratebay.org/search.php?q=top100:301
HTTP Response: 301
HTTP Request: GET http://thepiratebay.org/top/401
HTTP Response: 301
HTTP Request: GET http://thepiratebay.org/search.php?q=top100:401
HTTP Response: 301
-
1.8kB 16.5kB 20 29
HTTP Request: GET https://thepiratebay.org/top/301
HTTP Response: 302
HTTP Request: GET https://thepiratebay.org/search.php?q=top100:301
HTTP Response: 200
HTTP Request: GET https://thepiratebay.org/top/401
HTTP Response: 302
HTTP Request: GET https://thepiratebay.org/search.php?q=top100:401
HTTP Response: 200
-
399 B 1.7kB 4 4
HTTP Request: GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
HTTP Response: 200
-
393 B 1.7kB 4 4
HTTP Request: GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
HTTP Response: 200
-
62 B 94 B 1 1
DNS Request
thepiratebay.org
DNS Response
162.159.136.6 162.159.137.6
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.178.3
-
67 B 127 B 1 1
DNS Request
salihzeki42.no-ip.org
-
63 B 162 B 1 1
DNS Request
crl.microsoft.com
DNS Response
2.19.252.143 2.19.252.157
-
63 B 230 B 1 1
DNS Request
www.microsoft.com
DNS Response
95.100.245.144
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
-
Filesize: 1KB
MD5: c9be626e9715952e9b70f92f912b9787
SHA1: aa2e946d9ad9027172d0d321917942b7562d6abe
SHA256: c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4
SHA512: 7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5
-
Filesize: 436B
MD5: 971c514f84bba0785f80aa1c23edfd79
SHA1: 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256: f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512: 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize: 174B
MD5: 3d9b18549c1b48f6a8e5a1bb3b460a58
SHA1: 64f801964dd558fdff8f7e1c9a33fdc9a5dfa4a8
SHA256: a0f98fe18edc6701b6bc76760d673a1e3b561a984a67a5343dd827cc281501c1
SHA512: b9c0c7dc941298ab191a6a311cebaea371228f26d57f05339d571d9fbceca0a80ccd753e47700280aecd80b10923b9b33b232fdb1eccffaa32f3cf305fe7627a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize: 170B
MD5: 559318947122e5153ad46b91cde3864b
SHA1: 4dc63f074fec06d1ae8994506aef613e516af441
SHA256: 15bf20a3275e1d57e8fa94655521a572b94ccb1f8cfeff9d61520d7f0b34e6c6
SHA512: f2d9a2a68ed48d64353a2fc7fca73995e6878e2125b28e0a622b7154c54f554b33f7daea2ed79e69ade15738cdd6402888048995253f35b936f8b7cbf0ef66fe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\301[1].htm
Filesize: 167B
MD5: 0104c301c5e02bd6148b8703d19b3a73
SHA1: 7436e0b4b1f8c222c38069890b75fa2baf9ca620
SHA256: 446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f
SHA512: 84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 381KB
MD5: 7955ce3d796ca8a03a55d2edefd32f25
SHA1: 5725494c18c0f3f32fcd5a5c01ad8a09e8ee7831
SHA256: aac971e1ff6dcb52dac8ee0749261f8995ebe3c870511e9f3ea291882d6e41b0
SHA512: 6e5141863878e855b40c6c95ae6658ef8f6bad01a3f1b127675e6d6d7c3fcf2a2f7d85425388594ff4e80d67e5a7c5d2d78fd630914cba291860c74156b34c08